I may not be Emily's only correspondent, sadly. Public results for these files' hashes are pretty damning. For example, if we query the earliest in the set, photo/photo.exe with SHA256 937687..., on VirusTotal we see a detection ratio of 40/55 scanners, plus 4 votes against it (not many VT users vote). Checking the hash of the most recent sample, good ol' 7e652099..., shows even higher detection rates, 42/55, and 5 votes against. The larger sample 133c3... has lower detection on VT but still looks like a bad thing, with 33/55 engines detecting malware and 3 votes against.

There's behavioural data for some of these samples aggregated from multiple analysis runs. They don't tell me much other than that the analysis system is using VirtualBox.

Monkeys?

Another sample submitted this week is interesting because it's a CIL ("Dot Net framework") class assembly, apparently from Visual Basic Dot Net according to pedump and file:

A VT lookup of this sample by hash shows that most engines consider it a nasty trojan, with 40/55 detecting and 21:0 votes against from the community. It's listed under the internal name 'QjvZVBkVM' taken from the PE headers, but our sample's transact_store file name is listed in the VT Additional Information tab as one of its aliases.

Since I don't have a full-on Cuckoo sandbox set up yet at home, I'll check with the public one at Malwr, and in fact they have two analyses of this file (by hash) to peruse. You need a free account to be able to search their database, no doubt to protect their network and computing resources.

The Cuckoo & community rules in that Malwr.com analysis run tell us some interesting things about our sample, namely:

File has been identified by at least one AntiVirus on VirusTotal as malicious

Installs itself for autorun at Windows startup

For further detail their report has extensive static and behavioural analysis, tracking the creation of a sub-process and the persistence attempts. Malwr's sandbox didn't log any network activity.

More photos and a nice behavioural analysis from Malwr

Yesterday I got another missive from Emily with different characteristics:

nets us a Malwr (Cuckoo) analysis with some interesting details. In the Behavioural Analysis, on page 1 of 5, we can visually scan for file activity by colour (beige?) to find interesting tidbits like photo.exe reading XML configs from Windows and then writing a config file:

C:\DOCUME~1\User\LOCALS~1\Temp\photo.exe.config

On page 2, still just looking at Files (beige?), we see that it tries, and fails, to update or create new versions of several system DotNet Framework and CLR security configuration files, such as:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\security.config

Later on there is some complicated and scary-looking stuff where device IDs are scraped from the registry and a bunch of encoded content (complete with blocks of nulls) is read from the device. Then it checks the registry keys and the filesystem again for itself, as if to confirm that it succeeded.

Which might not sound too bad, but after that it writes some of the same encoded content to the photo.exe file, calls a bunch of cryptography libraries (to decrypt or check signatures?), and then proceeds to make the changes to the DotNet security configs that it tried earlier, and this time succeeds?!

After a lot more registry reading, and some specific probing of DotNet forms and security libraries that kinda looks like it was searching for a particular version of one (probably not good), it then creates a new process and loads the contents of photo.exe from disk, with the encoded blocks in play here, and the PE executable into memory for execution.

If we now review the complete list of touched and sought files on the Overview page, we have a much better understanding of what it wanted with those files, and some big hints about the bug's capabilities, techniques, and intent. So you not only have some raw indicators to plug into a tool but also the context to make them useful.
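As an added example (not from the original post, nor Malwr's or Cuckoo's own code), here is a small Python triage script that scans a constructed, simplified behaviour summary of the kind Malwr produced for this sample and flags the artefacts discussed above: the autorun key, the .NET security.config write, the config file dropped in Temp, and execution from Temp. The report keys, the paths and the rule names are assumptions for illustration, not the real Cuckoo report schema.

```python
import re

# Constructed, simplified behaviour summary in the spirit of a Cuckoo/Malwr
# report. The section names are assumptions, not the real Cuckoo schema.
SAMPLE_REPORT = {
    "file_written": [
        r"C:\DOCUME~1\User\LOCALS~1\Temp\photo.exe.config",
        r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\security.config",
        r"C:\DOCUME~1\User\LOCALS~1\Temp\photo.exe",
    ],
    "regkey_written": [
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\photo",
    ],
    "process_created": [r"C:\DOCUME~1\User\LOCALS~1\Temp\photo.exe"],
}

# Each rule: (name, report section to scan, compiled regex). The names mirror
# the kind of signature lines the Malwr report printed for the page's sample.
RULES = [
    ("installs_autorun", "regkey_written",
     re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)),
    ("modifies_dotnet_security_config", "file_written",
     re.compile(r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\config\\security\.config$", re.I)),
    ("drops_config_in_temp", "file_written",
     re.compile(r"\\Temp\\[^\\]+\.config$", re.I)),
    ("executes_from_temp", "process_created",
     re.compile(r"\\Temp\\[^\\]+\.exe$", re.I)),
]


def triage(report):
    """Return {rule_name: [matching artefacts]} for every rule that fired."""
    hits = {}
    for name, section, pattern in RULES:
        matched = [a for a in report.get(section, []) if pattern.search(a)]
        if matched:
            hits[name] = matched
    return hits


def indicators(report):
    """Flatten the artefacts behind fired rules into a sorted, de-duplicated
    list, ready to paste into a blocklist or a hunting query."""
    return sorted({a for matched in triage(report).values() for a in matched})


if __name__ == "__main__":
    for rule, artefacts in triage(SAMPLE_REPORT).items():
        print(rule)
        for artefact in artefacts:
            print("   ", artefact)
```

The rules are deliberately narrow; a real triage run would add the rest of the Overview page's file and registry activity to SAMPLE_REPORT and extend RULES as the report reveals new behaviour.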

A little understanding and sometimes a lot of searching can deliver some really valuable insights into samples with these public tools, without you needing to do any reversing or hex maths yourself, so give it a try!
